State without cyber-security officer for a year, official testifies

Nov. 28, 2012

Written by

Staff writer

COLUMBIA — The state has gone about a year without a cyber security officer, according to testimony today as the Senate opened hearings into the massive data breach at the Department of Revenue.

DOR Director Jim Etter, who has resigned but will remain as director until the end of the year, said the agency’s $100,000 salary can’t compete with a private-sector salary.

Etter says that when his agency looked at encrypting data in 2006, it was decided it would cost $5 million and be “cost ineffective.” He said the Dept. of State Information Technology is now monitoring SCDOR 24/7, which makes the system more secure.

Senators also heard testimony from Marshall Heilman, director of Mandiant, the private cyber security firm hired by DOR after the breach.

Heilman gave a report on what caused the breach, pointing the finger at a lack of encrypted data and a lack of multi-factor credentials.

He said they know who the employee is who clicked on the phishing email.

A DOR employee opened an email that most likely allowed the hacker to get the employee’s credentials, giving him access to the system, Heilman said.

Heilman said that, in his experience, agencies don’t know what their important data is until there is an incident.

Senators say they can’t imagine any data more important to encrypt than Social Security numbers.

Senators asked SLED Chief Mark Keel, who is sitting in the audience, if stolen Social Security numbers have been used. He replied, “I don’t know.”

Heilman said the hacker’s IP address was not from the United States and that the attacker used 4 different IP addresses to access an SCDOR computer (the addresses could have been from the same computer).

Heilman said he doesn’t know whether the servers and databases could have handled encryption on SSNs, and that new servers may be needed.